Mobile device security

Suresh P K on how to cope with the security risks associated with mobile devices

If a mobile device or data medium does not have adequate protection, an unauthorised person could:

• Boot a PC using an external medium like a CD or USB memory stick and so access all the saved data without activating the operating system’s access control.
• Spy on confidential documents and information to either use or sell to a third party.
• Read key information or create passwords from the RAM (from swapfiles or hibernation files) and use these to access the user’s encrypted files or to gain access to the corporate network.
• Reconfigure the operating system’s security mechanisms so that they are no longer effective the next time the PC is booted.
• Use dictionary attacks to hack the local password database to acquire valid user passwords.
• Use the PC or data medium to import undesirable data and sneak in harmful programs that then compromise system stability.

Unauthorised persons who gain access to mobile devices and desktop PCs can compromise confidential data. For example, using copying tools an entire hard disk can be copied in a very short time and then data can be spied on at leisure without the user noticing the loss. To protect themselves effectively against these types of attacks, it is recommended that companies use special security software to complement the operating system’s own mechanisms and guard their PCs, operating systems and data against changes or unauthorised access. Companies need a security solution that can not only protect them against this threat but also ensure that unauthorised persons cannot access their saved data or the rest of their IT infrastructure.

The most important security mechanisms that can be used to protect against risks are encryption and user authentication. Operating systems usually have a range of basic functions for this purpose, but these are often not powerful enough to provide real IT security in a business environment. To equip themselves with protection beyond the operating system’s basic tool set, companies need additional security software which will either extend or replace the operating system’s protection mechanism.

Encryption Imperative

Reliable protection against data misuse means that all data must be encrypted, without exception. Although this sounds very obvious and simple, it is far from what’s happening in practice. There are applications which offer encryption options, but only for the specific file formats used by those particular applications. The security solution must perform encryption on the entire data medium (‘base encryption’); every character must be automatically encrypted or decrypted every time it is written or read, no matter which file it belongs to. This includes all the system data for the operating system or an application. The security solution must be able to support several generations of hardware and operating systems as well as the large number of file formats that are often involved in heterogeneous environments.

To save time when starting a system, and to conserve battery power, notebook users often use hibernation or ‘Suspend to Disk’ mode. In an unprotected notebook, this hibernation file is an attractive target for data thieves because it contains all the information present when the notebook was frozen, including all the files that the user had just been working on, or the keywords and even passwords in use at that time. To guarantee effective protection against data misuse, these hibernation files must also be encrypted, just like the other ‘invisible’ files.

Just like clients, exchangeable data media such as USB memory sticks or memory cards can get lost, stolen or misused by unauthorised users. The protection for exchangeable data media must not only ensure the confidentiality of the data saved on them, but also prevent the importing of harmful programs which a user might bring from home. This is why any security software used to protect the data on PCs against misuse should also be able to protect not only the client itself but also all the exchangeable data media commonly in use in the company.

Global Applicability

The algorithm used by the security solution is also a major factor. Public algorithms have the advantage that scientists and cryptographers all over the world have already tested their security and efficiency. The current standard for symmetrical encryption algorithms used to encrypt useful data is the AES algorithm with key lengths of 128 or 256 bits. A reliable security software system should offer this AES algorithm at the very least. In the international environment, the flexibility of encryption algorithms plays a major role: country-specific cryptographic regulations often mean that multinational companies can install encryption software at only some of their sites. The security solution must provide support for all the major public algorithms (such as AES, IDEA-128 and 3DES) used worldwide.

However, encryption by itself does not make a security solution. Equally important is an efficient way of authenticating users. The simplest method of user authentication is password-based. Most security solutions provide user ID and a password as a default mechanism. However, passwords can be passed on deliberately or even spied out. A second layer, such as a hardware token for authentication, can improve the reliability of the authentication process. Only a user who can provide a token and its pin will be authenticated.

Even the best security software is no good if it is not activated. To prevent an operating system from being manipulated from outside—for example, by booting with external media like CDs or USB sticks and then targeting the hard disk—a user’s access rights must be checked before the boot procedure itself. The security software must have Pre-Boot Authentication (PBA); this ensures that users are authenticated before the operating system boots.

The acceptance and therefore the actual implementation of security mechanisms in companies depend on how difficult or easy they are to use in daily operation. For a security solution to be accepted, it must be as invisible as possible for its end users. In the best-case scenario, apart from the necessary authentication, the user experience should not be altered in any way.

The security solution must provide a way to handle emergency situations such as password loss or the client operating system not booting up. The solution must have a range of recovery mechanisms for handling these situations. For instance, if the operating system can no longer be booted, it must still be possible to perform ‘emergency decryption’ of the data medium once correct authentication has been performed.

Suresh P K is with Ramco Systems.
E-mail: sureshpk@rsi.ramco.com